authorNathan Kinder <nkinder@redhat.com>2008-11-25 19:20:27 +0000
committerNathan Kinder <nkinder@redhat.com>2008-11-25 19:20:27 +0000
commit190c6612ebb92e4ff771db43098e842083f7689a (patch)
tree975d2eb5d625f9bebc71fc2b6d4b29331c19c4a5
parentb68be619ceb59d9ad242841be4ebe2abb993d6d8 (diff)
Resolves: 387851
Summary: Add configuration parameter to limit maximum allowed incoming SASL IO packet size.
-rw-r--r--ldap/servers/slapd/libglobs.c39
-rw-r--r--ldap/servers/slapd/proto-slap.h2
-rw-r--r--ldap/servers/slapd/sasl_io.c9
-rw-r--r--ldap/servers/slapd/slap.h6
4 files changed, 54 insertions, 2 deletions
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index b279e0bc..a4550b7a 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -525,6 +525,9 @@ static struct config_get_and_set {
{CONFIG_MAXBERSIZE_ATTRIBUTE, config_set_maxbersize,
NULL, 0,
(void**)&global_slapdFrontendConfig.maxbersize, CONFIG_INT, NULL},
+ {CONFIG_MAXSASLIOSIZE_ATTRIBUTE, config_set_maxsasliosize,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.maxsasliosize, CONFIG_INT, NULL},
{CONFIG_VERSIONSTRING_ATTRIBUTE, config_set_versionstring,
NULL, 0,
(void**)&global_slapdFrontendConfig.versionstring, CONFIG_STRING, NULL},
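Review bot: The new table entry tags `maxsasliosize` as `CONFIG_INT`, but the field added to `_slapdFrontendConfig` in the slap.h hunk is declared `size_t`. If the generic config reader dereferences the slot according to that tag, on an LP64 build it would read only 4 of the field's 8 bytes, so the attribute's reported value could be wrong for limits above 2 GiB; how the reader treats `CONFIG_INT` is outside this diff, so this is worth confirming. Either declare the field with a width that matches the tag (`int` or `long`, as the neighbouring entries do) or use a tag that matches `size_t` if the table provides one, and keep the getter's return type in proto-slap.h consistent with that choice.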
@@ -4488,6 +4491,42 @@ config_get_maxbersize()
}
int
+config_set_maxsasliosize( const char *attrname, char *value, char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+ if ( !apply ) {
+ return retVal;
+ }
+
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+
+ slapdFrontendConfig->maxsasliosize = atol(value);
+
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ return retVal;
+}
+
+size_t
+config_get_maxsasliosize()
+{
+ size_t maxsasliosize;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ maxsasliosize = slapdFrontendConfig->maxsasliosize;
+ if (maxsasliosize == 0) {
+ maxsasliosize = 2 * 1024 * 1024; /* Default: 2Mb */
+ }
+
+ return maxsasliosize;
+}
+
+int
config_set_max_filter_nest_level( const char *attrname, char *value,
char *errorbuf, int apply )
{
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 12b0e431..6f8a3da6 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -320,6 +320,7 @@ int config_set_result_tweak(const char *attrname, char *value, char *errorbuf,
int config_set_referral_mode(const char *attrname, char *url, char *errorbuf, int apply);
int config_set_conntablesize(const char *attrname, char *url, char *errorbuf, int apply);
int config_set_maxbersize(const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_maxsasliosize(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_versionstring(const char *attrname, char *versionstring, char *errorbuf, int apply );
int config_set_enquote_sup_oc(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_basedn( const char *attrname, char *value, char *errorbuf, int apply );
@@ -442,6 +443,7 @@ char *config_get_referral_mode(void);
int config_get_conntablesize(void);
int config_check_referral_mode(void);
ber_len_t config_get_maxbersize();
+size_t config_get_maxsasliosize();
char *config_get_versionstring();
char *config_get_buildnum(void);
int config_get_enquote_sup_oc();
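Review bot: `size_t config_get_maxsasliosize();` is declared with an empty parameter list, which in C is an unprototyped declaration rather than "takes no arguments"; the neighbouring `config_get_conntablesize(void)` shows the file's prototyped form. Prefer `size_t config_get_maxsasliosize(void);` here and in the definition in libglobs.c. The line above it, `config_get_maxbersize()`, has the same pattern but is pre-existing.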
diff --git a/ldap/servers/slapd/sasl_io.c b/ldap/servers/slapd/sasl_io.c
index 7a63fcb4..4c2a97ea 100644
--- a/ldap/servers/slapd/sasl_io.c
+++ b/ldap/servers/slapd/sasl_io.c
@@ -215,6 +215,15 @@ sasl_io_start_packet(Connection *c, PRInt32 *err)
LDAPDebug( LDAP_DEBUG_CONNS,
"read sasl packet length %ld on connection %" PRIu64 "\n", packet_length, c->c_connid, 0 );
+
+ if (packet_length > config_get_maxsasliosize()) {
+ LDAPDebug( LDAP_DEBUG_ANY,
+ "SASL encrypted packet length exceeds maximum allowed limit (length=%ld, limit=%ld)."
+ " Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.\n",
+ packet_length, config_get_maxsasliosize(), 0);
+ return -1;
+ }
+
sasl_io_resize_encrypted_buffer(c->c_sasl_io_private, packet_length);
/* Cyrus SASL implementation expects to have the length at the first
4 bytes */
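Review bot: The new log line formats the `size_t` returned by `config_get_maxsasliosize()` with `%ld`, which is a format/argument mismatch; it should use `%lu` with a cast, or `%zu` if the logging macro supports it. The limit is also fetched twice; read it once into a local and reuse it: `size_t maxsize = config_get_maxsasliosize();`, `if (packet_length > maxsize) {`, and `packet_length, (unsigned long)maxsize, 0);`. The existing `%ld` for `packet_length` suggests it is a signed `long`; if so, a negative length promotes to a large unsigned value in the comparison and is rejected, which is the desired outcome but deserves a comment such as `/* negative lengths promote to a large unsigned value and are rejected here */`. `sasl_io_start_packet` begins outside the hunk, so whether an earlier check already bounds `packet_length` cannot be seen from here.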
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 22451425..cca3178c 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1764,6 +1764,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_REFERRAL_MODE_ATTRIBUTE "nsslapd-referralmode"
#define CONFIG_ATTRIBUTE_NAME_EXCEPTION_ATTRIBUTE "nsslapd-attribute-name-exceptions"
#define CONFIG_MAXBERSIZE_ATTRIBUTE "nsslapd-maxbersize"
+#define CONFIG_MAXSASLIOSIZE_ATTRIBUTE "nsslapd-maxsasliosize"
#define CONFIG_MAX_FILTER_NEST_LEVEL_ATTRIBUTE "nsslapd-max-filter-nest-level"
#define CONFIG_VERSIONSTRING_ATTRIBUTE "nsslapd-versionstring"
#define CONFIG_ENQUOTE_SUP_OC_ATTRIBUTE "nsslapd-enquote-sup-oc"
@@ -1981,8 +1982,9 @@ typedef struct _slapdFrontendConfig {
char *ldapi_gidnumber_type; /* type that contains gid number */
char *ldapi_search_base_dn; /* base dn to search for mapped entries */
char *ldapi_auto_dn_suffix; /* suffix to be appended to auto gen DNs */
- int slapi_counters; /* switch to turn slapi_counters on/off */
- int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
+ int slapi_counters; /* switch to turn slapi_counters on/off */
+ int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
+ size_t maxsasliosize; /* limit incoming SASL IO packet size */
#ifndef _WIN32
struct passwd *localuserinfo; /* userinfo of localuser */
#endif /* _WIN32 */